[转载]Keyboard Interrupt Hook using I/O APIC

bini

Keyboard Interrupt Hook using I/O APIC(ZT)
+ W+ z$ W2 ^" `' [5 N% E
Keyboard Interrupt Hook using I/O APIC

8 F6 j1 Z6 N% j/ D# E4 X: Q9 H- [By: chpie
; m! e9 ?! P7 m+ W8 oKeyboard Interrupt Hooking by manipulating the I/O APIC
, z9 ?: p' T( ?- z/ Jtested on the winXP, Pentium D Hyper-threading Enabled.

. f$ ~6 y0 f5 C) g7 |
# V. M. N8 x) h( A2 j( N- i! l4 TSummary :: Using the 8259a compatible PIC to be deliver the interrupt
signal by Delivery mode of the I/O APIC to be the ExtINT,
the interrupt related by the IRQ 1 able to be not refer
4 _  ]4 ^; a- ^% @" t" ithe I/O APIC's Redirection Table.
# M: {) R3 i. w, }
- It is higher priority of the hooking than the direct
! Z& t  E" [" v9 ^0 xmodification of the I/O APIC's vector.
- The vector can be hidden on the thread getting the keyboard
' @! A# \- h; o& ?" B, F! Mvector from the I/O APIC.
7 k1 C0 |8 a3 _3 D* M7 o2 a- H# M
Flow ::
* g: I- q- [2 T
. U8 r5 |& E  M% z6 b( f  B1. IRQ 1 Assert !!!
2. The I/O APIC receives the signal and refers the I/O Redirection table.
6 \+ l! ~: X3 r% j% C7 x( z7 z( s3. Sending the signal from the destination Local APIC.
4. Local APIC pass the signal to the processor for its delivery mode ExtINT
. J+ m, Z' A7 @1 W, n5 i5. A processor receives the signal.
- L0 O- ~% R& Q4 T6. The processor Assert the INTA signal.
; a/ J* C% T' G$ ^0 a* v  z7. The I/O APIC acknowledged.
0 T  i2 }  P7 X; q4 B  ^8. The processor Assert the second INTA signal.
9. The I/O APIC delivers the signal to the 8259a compatible PIC
for ExtINT to its Delivery mode.
5 s2 l, I# p: ~, `10. 8259a compatible PIC sends 2 bytes after second INTA pulse.
3 L1 C4 _( L8 Z. T5 U3 e11. The processor execute 2 bytes sended.
  M0 S& u) k1 I2 ^5 ]12. our interrupt handler executed.
- o# y; h7 ?# B* A
- u% @2 s6 H0 F& H
sourcecode and binary are available on the
http://www.rootkit.com/vault/chpie/apic_keyboard.zip